A Type System for Expressive Security Policies∗ David Walker Cornell University Abstract Certified code is a general framework for verifying secu- rity properties in untrusted programs. To use this security Certified code is a general mechanism for enforcing security architecture, programmers and compilers must attach a col- properties. In this paradigm, untrusted mobile code carries lection of annotations to the code they produce. These an- annotations that allow a host to verify its trustworthiness. notations can be proofs, types, or encodings of some other Before running the agent, the host checks the annotations kind of formal system. Regardless, there must be some way and proves that they imply the host’s security policy. De- of reconstructing a proof that the code obeys a certain secu- spite the flexibility of this scheme, so far, compilers that rity policy, for upon receiving annotated code, an untrust- generate certified code have focused on simple type safety ing web browser or operating system will use a mechanical properties rather than more general security properties. checker to verify that the code is safe before executing it. For Security automata can specify an expressive collection example, Necula and Lee’s proof-carrying code (PCC) im- of security policies including access control and resource plementation [20, 19] uses a first-order logic and they have bounds. In this paper, we describe how to instrument well- shown that they can check many interesting properties of typed programs with security checks and typing annota- hand-coded assembly language programs including access tions. The resulting programs obey the policies specified control and resource bound policies [22]. by security automata and can be mechanically checked for In order to make certified code a practical technology, it safety. This work provides a foundation for the process of must be possible to generate code and certificate automati- automatically generating certified code for expressive secu- cally. However, so far, certifying compilers have focused on rity policies. a limited set of properties. For example, the main focus of Necula and Lee’s proof-generating compiler Touchstone [21] 1 Introduction is the creation of efficient code; the security policy it enforces is the standard type and memory safety. Other frameworks, Strong type systems such as those of Java or ML provide including Kozen’s efficient code certification (ECC) [8] and provable guarantees about the run-time behaviour of pro- Morrisett et al.’s Typed Assembly Language (TAL) [18, 17], grams. If we type check programs before executing them, we concentrate exclusively on standard type safety properties. know they “won’t go wrong.” Usually, the notion “won’t go The main reason that certified code has been used in this wrong” implies memory safety (programs only access mem- restricted fashion is that automated theorem provers are not ory that has been allocated for them), control flow safety powerful enough to infer properties of arbitrary programs (programs only jump to and execute valid code), and ab- and constructing proofs by hand is prohibitively expensive. straction preservation (programs use abstract data types Unable to prove security properties statically, real-world se- only as their interfaces allow). These properties are essential curity systems such as the Java Virtual Machine (JVM) [12] building blocks for any secure system such as a web browser, have fallen back on run-time checking. Dynamic security extensible operating system, or server that may download, checks are scattered throughout the Java libraries and are check and execute untrusted programs. However, standard intended to ensure that applets do not access protected re- type safety properties alone do not enforce access control or sources inappropriately. However, this situation is unsatis- restrict the dissemination of secret information. fyingforanumberofreasons: ∗ This material is based on work supported in part by the AFOSR • The security checks and therefore the security policy grant F49620-97-1-0013 and in part by the National Science Founda- is distributed throughout library code instead of being tion under Grant No. EIA 97-03470. Any opinions, findings, and con- clusions or recommendations expressed in this publication are those specified declaratively in a centralized location. This of the authors and do not reflect the views of these agencies. can make the policy difficult to understand or change. • There is no way to verify that checks have not been forgotten or misplaced. • There is no way to optimize away redundant checks and certify that the resulting code is safe. Figure 1 presents a practical alternative for producing certified code. First, we give a formal specification of a se- curity policy. Then, during compilation, the security policy 1 dictates when to insert run-time checks. For example, the High-level High-level security policy might state that programs cannot use the Application System network after they have read any local files. In this case, Program Interface the compiler places run-time checks around every call to a network operation to ensure the program does not use the network after reading a file. Next, the program is opti- mized, removing run-time checks whereever it is safe to do Security Instrument Policy Annotate so. However, each time the optimizer removes a check from Specification the program, it must leave behind enough information to be able to verify that calling the function is still safe. When compilation has been completed, software will ver- Instrumented Secure ify that the resulting code is safe and then link the appli- Application Annotated cation program with the rest of the system. In order to Program Interface ensure the security policy is obeyed, the software will ob- Optimize viously have to use the formal policy specification. It can either do this directly or, as shown in Figure 1, it can com- Verify pile the high-level interface into a low-level interface and use & Link the specification to annotate the result. For example, if the high-level system interface contains a network API, and the security policy is the one described above, an automated tool Secure might compile the API into some low-level format and an- Executable notate the low-level code with pre-conditions requiring that the application has not yet read a file. When the verifier checks an application that uses the network, it must be able Figure 1: Architecture of a Certifying Compiler to prove these pre-conditions are satisfied. This framework has a number of advantages over other security architectures. First, by defining the security policy 2 Overview independently of the rest of the system, it may be simpler for the implementer of the security system to write or change In this paper, we explore one particular instance of the gen- the policy, and easier for the applications programmers to eral framework: understand it. The fact that the security policy can be de- fined in terms of a high-level system interface rather than • Our source language is type-safe. Type safety enforces its low-level implementation will also make the policy easier many essential safety properties statically without hav- to understand. ing to resort to run-time checking. Second, for a large class of security properties, a com- piler can use run-time checks to ensure that any program • Our formal security policies are specified using secu- can be automatically rewritten so that it is provably secure. rity automata [24, 27]. We have chosen security au- This mechanism relieves the programmer of the burden of tomata because they are very expressive, able to en- constructing proofs that his or her programs obey the se- code any safety property [24]. Moreover, security au- curity policy. In fact, although applications programmers tomaton specifications can always be enforced by in- need to be aware of and to follow the security policy (oth- serting run-time checks. Given a security automaton erwise their programs will be terminated prematurely), the specification, a compiler can automatically rewrite any high-level programming model need not change at all. source language program so that it obeys the security Third, there is clear separation between the trusted and policy. untrusted components of the system. More precisely, we • must trust that: Our target language is dependently-typed. We encode the security automaton definition in the types of the • The formal security policy specification implies the de- security-sensitive operations. The type system is pow- sired semantic properties. erful enough to enforce any security automaton spec- ification and yet is flexible enough to allow a number • The annotated low-level system interface enforces the of optimizations. formal security policy specification and the code that performs run-time checks is correct. Why use a type system? There are other frameworks for static verification. For example, Necula and Lee use a • The verification software is correct. verification-condition generator that emits proof obligations However, because verification is independent of the instru- in the form of first-order logic formulae with some exten- mentation algorithm, we do not have to trust the application sions. Such a framework has clear advantages: First-order program or its compiler. Untrusted parties can write their logic is extremely expressive and yet has simple proof rules. own application-specific instrumentation and optimization One advantage of type theory is that it handles higher-order transformations. In fact, programmers do not even have to features such as first-class functions and continuations nat- use the same source language. They can write programs in urally. This fact is particularly important when handling different languages and then compile them into a common low-level languages because even the results of compiling intermediate form or even write low-level code by hand. Re- procedural languages without function pointers are natu- gardless of the source of the application code, it can and will rally higher-order: When a piece of machine code “calls” or be verified before it is linked into the extensible system.